Win32/Bflient [Threat Name]
Win32/Bflient.K [Threat Variant Name]
| Detection created | Aug 17, 2010 |
| Signature database version | 10166 |
Win32/Bflient.K is a worm that spreads via removable media. The worm also contains a backdoor component, so an infected machine can be controlled remotely. The file is run-time compressed using UPX.
When executed, the worm copies itself into the following location:
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Taskman" = "%appdata%\sjlp.exe"
- "Shell" = "explorer.exe,%appdata%\sjlp.exe"
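The following PowerShell check is an added example for responders and is not part of the ESET entry: it reads the Winlogon key named above and flags the two modifications this worm makes (a "Shell" value that is anything other than the bare "explorer.exe", and any "Taskman" value, which a default Windows install does not set), then hashes each referenced file for triage. The function name and the "bare explorer.exe" baseline are assumptions; a 64-bit host with PowerShell 3 or later is assumed.

```powershell
function Test-WinlogonPersistence {
    [CmdletBinding()]
    param(
        # Key the worm modifies, taken from the entry above.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $props    = Get-ItemProperty -Path $Path -ErrorAction Stop
    $findings = @()

    # Baseline (assumption): "Shell" is exactly explorer.exe. Bflient appends its own
    # copy after a comma, so anything else in the value is worth a look.
    $shell = [string]$props.Shell
    if ($shell -and $shell.Trim() -ine 'explorer.exe') {
        $findings += [pscustomobject]@{ Value = 'Shell'; Data = $shell
                                        Reason = 'Shell is not the bare explorer.exe' }
    }

    # "Taskman" is absent on a default install; the worm sets it to its own copy.
    if ($null -ne $props.PSObject.Properties['Taskman']) {
        $findings += [pscustomobject]@{ Value = 'Taskman'; Data = [string]$props.Taskman
                                        Reason = 'Taskman value present' }
    }

    # Resolve every comma-separated entry, expand %appdata%-style variables and hash the
    # file so the sample can be pulled for analysis. Note: variables expand for the user
    # running this check, which may differ from the user who was infected.
    foreach ($f in $findings) {
        $files = foreach ($entry in ($f.Data -split ',')) {
            $exe = [Environment]::ExpandEnvironmentVariables($entry.Trim())
            if ($exe -ine 'explorer.exe' -and $exe) {
                $hash = if (Test-Path -LiteralPath $exe) {
                    (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                } else { 'missing on disk' }
                [pscustomobject]@{ Path = $exe; Sha256 = $hash }
            }
        }
        $f | Add-Member -NotePropertyName Files -NotePropertyValue @($files)
    }
    return $findings
}

# Example invocation: prints one record per suspicious value, or nothing on a clean host.
Test-WinlogonPersistence | Format-List
```

Run it elevated so the HKLM key and any file under another user's profile are readable.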
Spreading on removable media
The worm copies itself to the following location:
The worm creates the following file:
Thus, the worm ensures it is started each time infected media is inserted into the computer.
The worm collects the following information:
- user name
- computer name
- operating system version
The worm can send the information to a remote machine.
The worm creates and runs a new thread with its own program code within the following processes:
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of (4) URLs.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- open a specific URL address
- update itself to a newer version
- monitor network traffic
- send gathered information